Message-ID: <CAFMma9PjqMs6rFpGX9ak2BecdhzNyStO4TAG8ZUsxMSGSt=TvA@mail.gmail.com>
Date: Thu, 6 Sep 2012 22:37:25 -0500
From: Richard Miles <richard.k.miles@...glemail.com>
To: john-users@...ts.openwall.com, kevin.p.young@...il.com
Cc: Ron <ron@...llsecurity.net>, kzug <kzug10@...il.com>
Subject: Re: Passphrase Creation

Hi Kevin, John-users and Ron,

I'm a bit late to answer on this thread, sorry about that.

I'm copying Ron from SkullSecurity because he does an amazing job in my opinion and he maintains an awesome web-site with a great wordlist collection (http://www.skullsecurity.org/wiki/index.php/Passwords). And I hope he may help or maybe include this kind of pass-phrase list in a next update.

Kevin, based on your description it's very clear to me that creating robust pass-phrase lists is a LOT of work and requires a good amount of disk and even processing / creation and customization of scripts and tools. It would be very nice if we could re-use most of your things instead of beginning from zero. Are you considering releasing your tools, scripts and pass-phrase lists?

I noted that you worked with lower case for all pass-phrase lists. I know some real pass-phrase passwords that I learned from different people doing pen-tests use the first letter of each word in upper case, such as:

It
It Was
It Was A
It Was A Dark
It Was A Dark And

Also, I think that from all the cases that I saw (real admins in different companies) no spaces were used. Well, to tell the truth, just one time; I remember it very clearly because it called my attention.

I don't know the quality, but I found a pass-phrase list based on wikiquotes:
https://sites.google.com/site/reusablesec/Home/custom-wordlists

If there is no publicly available pass-phrase list, are there users interested in building it? If there are a good number of active users interested in building it, I'm available to help.

Kzug gave a good idea in my opinion, which is to use TextWrangler and AppleScript against books / web-sites with famous quotes. However, scanning a web-site and properly parsing the web-sites is a pain, especially because of too many different formats, too many different structures, links and formats. This will require a BIG amount of work in my opinion.

Someone else also pointed to diceware, but I'm unsure how practical such a pass-phrase would be.

I also was reading a blog about how to use twitter queries for common phrases to list other potential pass-phrases. It was just an idea in a comment, so I don't know if it's practical.

Thanks.

On Fri, Aug 17, 2012 at 11:04 AM, Kevin Young <kevin.p.young@...il.com> wrote:
> Hello everyone,
>
> First off, thanks to Matt, Solar Designer, and the other John-users for
> inviting me to participate in the CMIYC contest. I learned a lot and had a
> great time.
>
> I've been using passphrases for several months now and have seen some
> chatter on the subject so I thought I'd chip in. Most of my phrase creation
> is contained in a bash shell script. But I'm sure there's someone out there
> with a much better tool, method, or way to do this.
>
> Step 1. Find a good source of words
> As mentioned in other posts, the Gutenberg project is a good source. I've
> also tried mining the Library of Congress, and a few others.
>
> Step 2. Store and organize
> Storage proved an early challenge as I underestimated the space
> requirements. The 15,000 raw (unprocessed) books I currently have fill a
> 300GB drive. It doesn't sound like much, but things grow quickly. An SSD
> helps as disk I/O becomes a bottleneck.
>
> Step 3. Download your material
> I use a simple wget loop here. Don't saturate the bandwidth of your source
> or you'll get booted.
>
> Step 4. Scrub raw input
> Strip special characters and punctuation. Convert to lowercase and remove
> excess space characters (sed and awk). Convert between file formats if
> necessary (dos2unix, unix2dos, or unix2mac). Using these commands I create
> a single long "sentence".
>
> Before:
> It was a dark and stormy night.
> All the animals were asleep.
> Somewhere overhead a flash of lightning illuminated the canyon walls
> followed by the thunder's rumble.
>
> After:
> it was a dark and stormy night all the animals were asleep somewhere
> overhead a flash of lightning illuminated the canyon walls followed by the
> thunders rumble
>
> Step 5. Phrase length and create phrases
> I've tried phrase lengths from 3-10 words. Using the above example, a
> 5-word length, and a custom app (arrays and recursion are your friend here)
> phrase creation begins:
>
> it
> it was
> it was a
> it was a dark
> it was a dark and
> was
> was a
> was a dark
> was a dark and
> was a dark and stormy
> a
> a dark
> a dark and
> a dark and stormy
> a dark and stormy night
> dark
> dark and
> dark and stormy
> dark and stormy night
> dark and stormy night all
> and
> and stormy
> and stormy night
> and stormy night all
> and stormy night all the
>
> I also create a no-space version at the same time. (Is there a mangling
> rule that can handle this?)
>
> itwas
> itwasa
> itwasadark
> itwasadarkand
> wasa
> wasadark
> wasadarkand
> wasadarkandstormy
>
> Step 6. Optimize and reduce
> As expected there are a lot of duplicates, so my script performs a dictionary
> sort and filters out the duplicates (sort and uniq). I also filter out
> (grep) things like open source verbiage, distribution notices, credits,
> etc.
>
> Step 7. You're done
> I typically get 1-5 million phrases per book. It isn't optimal but the
> combinations are vast. (See sample phrases submitted for CMIYC 2012.) I've
> plucked thousands of similar phrases from LinkedIn and Stratfor -- some
> were as long as 28 characters. = : )
>
> So there it is... I'm sure there are better ways to do this and I clearly
> have a lot to learn. (Perhaps mangling rules can solve many of the above
> mentioned hurdles?) I still have a LOT of things to do to improve the
> process but I'll save those tricks for CMIYC 2013 ;)
>
> Thanks go to Matt Weir for his willingness to share a password dialog. I
> also throw a shout to @joshdustin
> (http://7habitsofhighlyeffectivehackers.blogspot.com/) for his insight,
> assistance, and suggestions -- the guy is a linux wizard, white-hat genius,
> and great friend.
>
> If anyone has suggestions for improvement or questions look me up.
>
> Best of luck,
>
> -Kevin-
>
>
> CMIYC 2012 sample:
> ----------------------
> He pondered a moment
> rummaged in his pack
> She was ashamed to
> shorter space of time
> to look at some
> treatment of the slaves
> I must be aware
> you and your master
> back of his head
> panel in the wall
> to his aid
> more capable of giving
> fathers shall eat
> establishment of so many
> have been here before
> There are a few
> upperhand
> a thousand years ago
> then he was thinking
> shall they utter
> Iamsorry1
> been able to find
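Kevin's steps 4 to 6 (scrub, sliding-window phrase creation with a no-space twin, then sort/uniq plus a grep filter) and Richard's observation that real passphrases often capitalise each word are small enough to show in one script. The following is an added example written for this thread, not Kevin's bash script or anything from the CMIYC submission; the sample text is constructed from the "Before" block in his post with one Project Gutenberg-style trailer line appended, and the BOILERPLATE patterns are an assumption standing in for whatever his grep actually filters. It is meant for building candidate lists when auditing an organisation's own password hashes for phrase-based choices.

```python
import re
from collections.abc import Iterable

# Constructed sample in the "Before" shape from Kevin's post, CRLF line endings to
# exercise the dos2unix step, plus one trailer line of the kind step 6 greps away.
SAMPLE_TEXT = (
    "It was a dark and stormy night.\r\n"
    "All the animals were asleep.\r\n"
    "Somewhere overhead a flash of lightning illuminated the canyon walls\r\n"
    "followed by the thunder's rumble.\r\n"
    "*** END OF THIS PROJECT GUTENBERG EBOOK ***\r\n"
)

# Assumed grep -v patterns for step 6 (distribution notices, credits); not Kevin's real list.
BOILERPLATE = (r"gutenberg", r"ebook", r"all rights reserved")


def scrub(text: str) -> list[str]:
    """Step 4: normalise line endings, drop apostrophes so "thunder's" -> "thunders",
    turn every other non-alphanumeric run into a space, lowercase, and split so the
    whole document becomes one long run of words."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")      # dos2unix / unix2mac
    text = text.replace("'", "").replace("\u2019", "")
    text = re.sub(r"[^A-Za-z0-9\s]+", " ", text)
    return text.lower().split()


def windows(words: list[str], max_len: int = 5, min_len: int = 1) -> Iterable[list[str]]:
    """Step 5: yield every run of min_len..max_len consecutive words, ordered by start
    position and then by length, which is the order of Kevin's example listing."""
    for i in range(len(words)):
        for n in range(min_len, max_len + 1):
            if i + n > len(words):
                break
            yield words[i:i + n]


def build_lists(text: str, max_len: int = 5) -> dict[str, list[str]]:
    """Produce the three candidate lists discussed in the thread:
    'spaced'  - lowercase words separated by spaces (Kevin's main list)
    'nospace' - the same phrases with spaces removed, two or more words only
    'capital' - every word capitalised, the "It Was A Dark" style Richard saw."""
    words = scrub(text)
    spaced: list[str] = []
    nospace: list[str] = []
    capital: list[str] = []
    for w in windows(words, max_len):
        spaced.append(" ".join(w))
        capital.append(" ".join(x.capitalize() for x in w))
        if len(w) > 1:
            nospace.append("".join(w))
    return {"spaced": spaced, "nospace": nospace, "capital": capital}


def reduce_list(phrases: Iterable[str], patterns: tuple[str, ...] = BOILERPLATE) -> list[str]:
    """Step 6: the equivalent of sort | uniq | grep -v -i -E '<patterns>'."""
    drop = re.compile("|".join(patterns), re.IGNORECASE) if patterns else None
    kept = {p for p in phrases if not (drop and drop.search(p))}
    return sorted(kept)


if __name__ == "__main__":
    lists = build_lists(SAMPLE_TEXT)
    for name, items in lists.items():
        reduced = reduce_list(items)
        print(f"{name}: {len(items)} raw, {len(reduced)} after sort/uniq/grep")
        print("  " + " | ".join(reduced[:6]))
```

Two things worth noting from the output: the sliding window grows roughly as words x max_len, which is where Kevin's millions of phrases per book come from, and a pattern filter only removes phrases that contain the matched word, so fragments like "end of this project" from a trailer survive and still inflate the list; filtering trailer lines before scrubbing is cheaper than filtering phrases afterwards.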